In the not too distant future, the majority of new enterprise software deployments will be cloud-native, forever altering the information security team's core responsibilities. Picture a massive iceberg with only the tip visible above the surface of the water. Your cloud provider is responsible for the bulk beneath the surface - the infrastructure, networking, access control, etc. You are responsible for the tip - the application workload.

Google the term "AWS shared responsibility model" and you’ll find Amazon's AWS Shared Responsibility Model, which, while specific to AWS, likely mirrors the security relationship you will have with any cloud provider.

I spoke to a number of attendees at RSA 2018 about their efforts to build DevSecOps teams, and most believe their organizations’ cultures can embrace the fusion of security and DevOps. That’s encouraging as more enterprises adopt containers to enable their DevOps team to build and ship cloud-native applications. However, that does not mean you should relinquish security responsibilities to the DevOps team. You must still oversee risk evaluation, create and enforce policies, and direct incident response.

I was not surprised to hear more RSA attendees say they are involving DevOps in security processes. We’re seeing more openness on the part of DevOps teams to get involved with security, and vice versa. The perception that Security too often puts up roadblocks to prevent them from getting more done in less time may still linger with DevOps, and Security may view DevOps as caring more about speed than security. But setting aside the old “Us vs. Them” mentality is critical now that containers have moved past the experimental phase, where early adopters used them only to build betas and proofs-of-concept. Today, enterprises are running multiple mission-critical apps on containers.

The many benefits offered individually by containers, the cloud, microservices-based architectures, and DevOps increase by orders of magnitude when they are used together. Cloud-native application development, the model that delivers these exponential gains, also introduces a once-in-an-era opportunity to achieve a dramatic improvement in application security - one that puts an end to the endless (and futile) chase after threats and vulnerabilities, while struggling with an ever-increasing information security skill shortage. The key to this improvement is “left shifting” security.

With Gartner predicting that by 2020 more than 50% of global enterprises will be running cloud-native, containerized applications in production, DevOps and DevSecOps teams need to act quickly if they are to integrate and automate security into cloud-native build processes as they are being implemented. While cloud-native enterprise apps operate at a much larger scale and are far more complex than mobile apps, the mobile app development world has, to a certain degree, already left-shifted security. It’s worth a closer look to see what can be applied in enterprise settings.

In an analysis of ESG’s annual survey on the state of IT, security analyst Jon Oltsik reports that in 2018, respondents “once again” ranked cybersecurity skills as their #1 most problematic IT skills shortage. Their #2 response was IT architecture/planning, and the #3 response was server/virtualization administration.

In what seems like a sea of never-ending reports about the depth and severity of the cybersecurity skills shortage, it’s important to note that it doesn't exist in a vacuum. Cybersecurity spans a wide range of duties. In the application security realm, a perfect storm of cultural disruption, technological innovation and good timing has led to the emergence of DevSecOps – a model for application security that (among its many other benefits) is highly unlikely to be impaired or shortchanged by the cybersecurity skills shortage.